Millions of mobile phones at risk of hacking

A system dating back 40 years has been identified by researcher Karsten Nohl as the cause for modern day Sim card insecurities.

The German security expert found that Sims could be hacked in 2 minutes using a standard home computer. By sending a specially designed text message, Nohl's team of researchers were able to remotely upload malware onto the vulnerable devices via the Sims.

What information is at risk?

Nohl stated that Sims not only provide a mobile phone number but often store personal data and are how operators authenticate users. He said:

"The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets."

The text message sends a false digital signature to devices, allowing access to security information that is supposed to protect the identity of the user. With billions of mobile users worldwide, Nohl identified that one particular standard as predominantly insecure; the Data Encryption Standard (DES), which dates back to the 1970s.

DES has long been considered a vulnerable product, but Nohl's discovery has placed Sims at high risk of security breach, meaning mobile network operators have been put under pressure to rectify the issue. It is thought that one in eight Sims are at risk, the most vulnerable being in Africa.

Older standards

Nohl has provided industry body GSMA with his research and is set to disclose full details as to the method of the hacking at a Black Hat Security Conference on 31 July.

A spokeswoman for GSMA has said:

"Karsten's early disclosure to the GSMA has given us an opportunity for preliminary analysis, it would appear that a minority of Sims produced against older standards could be vulnerable.

"There is no evidence to suggest that today's more secure Sims, which are used to support a range of advanced services, will be affected."

Daniel Nolan, managing director at theEword said: "Hacking is a major issue at the moment with an increasing number of large companies facing privacy breaches in various areas of the technology industry.

"We've seen Ubisoft, Sony and over the last few days Apple's developer site hacked, so vulnerabilities in security won't be tolerated by users for much longer so identifying a risk such as this is vital so it can be solved quickly."